[GIT PULL] integrity subsystem updates for v6.0

Hi Linus,

Aside from the one EVM cleanup patch, all the other changes are kexec
related.

On different architectures different keyrings are used to verify the
kexec'ed kernel image signature.  Here are a number of preparatory
cleanup patches and the patches themselves for making the keyrings -
builtin_trusted_keyring, .machine, .secondary_trusted_keyring, and
.platform - consistent across the different architectures.

The root of trust for the different keyrings was described in the cover
letter and is retained in the merge message.

Note: Stephen is carrying a merge conflict patch with
commit 68b8e9713c8e ("x86/setup: Use rng seeds from setup_data").

thanks,

Mimi

The following changes since commit 067d2521874135267e681c19d42761c601d503d6:

  ima: Fix potential memory leak in ima_init_crypto() (2022-07-13 10:13:58 -0400)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v6.0

for you to fetch changes up to 88b61b130334212f8f05175e291c04adeb2bf30b:

  Merge remote-tracking branch 'linux-integrity/kexec-keyrings' into next-integrity (2022-07-26 15:58:49 -0400)

----------------------------------------------------------------
integrity-v6.0

----------------------------------------------------------------
Coiby Xu (3):
      kexec: clean up arch_kexec_kernel_verify_sig
      kexec, KEYS: make the code in bzImage64_verify_sig generic
      arm64: kexec_file: use more system keyrings to verify kernel image signature

Michal Suchanek (1):
      kexec, KEYS, s390: Make use of built-in and secondary keyring for signature verification

Mimi Zohar (1):
      Merge remote-tracking branch 'linux-integrity/kexec-keyrings' into next-integrity

Naveen N. Rao (2):
      kexec_file: drop weak attribute from functions
      kexec: drop weak attribute from functions

Xiu Jianfeng (1):
      evm: Use IS_ENABLED to initialize .enabled

 arch/arm64/include/asm/kexec.h        | 18 +++++++-
 arch/arm64/kernel/kexec_image.c       | 11 +----
 arch/powerpc/include/asm/kexec.h      | 14 ++++++
 arch/s390/include/asm/kexec.h         | 14 ++++++
 arch/s390/kernel/machine_kexec_file.c | 18 +++++---
 arch/x86/include/asm/kexec.h          | 12 +++++
 arch/x86/kernel/kexec-bzimage64.c     | 20 +--------
 include/linux/kexec.h                 | 82 +++++++++++++++++++++++++++++-----
 kernel/kexec_core.c                   | 27 ------------
 kernel/kexec_file.c                   | 83 +++++++++++++----------------------
 security/integrity/evm/evm_main.c     | 52 ++++++++++------------
 11 files changed, 195 insertions(+), 156 deletions(-)



